IIS FastCGI 上的 PHP 是否可以进行 HTTP 身份验证?
我刚刚从使用 php5isapi.dll 的 PHP 5.2.3 迁移到使用 FastCGI 和 php-cgi.exe 的 PHP 5.3.0。在这个网站上,我有用于 windows/ntlm/http 身份验证的钩子,执行如下操作:
if(empty($_SERVER["REMOTE_USER"]))
{
header("HTTP/1.1 401 Unauthorized");
exit;
}
$winuser = $_Server["REMOTE_USER"];
//parse $winuser to make sure it is on my domain, and can login to the site.
//set a cookie specifying that this user is logged in
//redirect to site.
这在带有 isapi 的 PHP 5.2.3 下工作得很好。现在我已经转移到 IIS6 上的 FastCGI,它坏了。它对我有用,但我的服务器上有管理员。那些没有管理员的人(大多数人)会看到以下内容的一些变体:
FastCGI Error
The FastCGI Handler was unable to process the request.
________________________________________
Error Details:
• The FastCGI process exited unexpectedly
• Error Number: -1073741819 (0xc0000005).
• Error Description: Unknown Error
HTTP Error 500 - Server Error.
Internet Information Services (IIS)
我已尝试浏览文档和日志文件,但似乎无法取得任何进展。我实际上并不希望使用远程用户名来访问我的 .php 文件,我只想获取名称并与我的数据库匹配。匿名用户应该仍然是实际执行 php 的人。
有线索吗?
I've just migrated from PHP 5.2.3 using php5isapi.dll to PHP 5.3.0 using FastCGI and php-cgi.exe. On this site I have hooks for windows/ntlm/http authentication doing something like this:
if(empty($_SERVER["REMOTE_USER"]))
{
header("HTTP/1.1 401 Unauthorized");
exit;
}
$winuser = $_Server["REMOTE_USER"];
//parse $winuser to make sure it is on my domain, and can login to the site.
//set a cookie specifying that this user is logged in
//redirect to site.
This worked just great under PHP 5.2.3 with isapi. Now that I've moved to FastCGI on IIS6, it is broken. It works for me, but I have administrator on the server. Those without administrator (most people) see some variant of the following:
FastCGI Error
The FastCGI Handler was unable to process the request.
________________________________________
Error Details:
• The FastCGI process exited unexpectedly
• Error Number: -1073741819 (0xc0000005).
• Error Description: Unknown Error
HTTP Error 500 - Server Error.
Internet Information Services (IIS)
I have tried plowing through documentation and log files, but can't seem to make any headway. I don't actually want the remote username to be used to access my .php files, I just want to grab the name and match to my database. The anon user should still be the one doing the actual php execution.
Any leads?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
取得了一些进展,但还没有真正的解决方案。
遵循此处的建议很有用:FastCGI 文档
特别是安全建议部分。这使我的错误脱离了 FASTCGI 500 并进入了 php 错误日志。
看来 PHP/IIS/FastCGI 想要通过任何用户尝试验证而不是匿名用户来访问会话目录(我的是 C:\PHP\Session)。
将该文件夹的“修改”权限设置为“所有用户”可以让网站按需要运行。但是,我想知道这样做会造成多大的安全漏洞...
Some progress, but no real solution yet.
Following the advice here was useful: FastCGI Docs
Especially the Security Recommendations section. This got my errors out of FASTCGI 500 and into the php error log.
It appears that PHP/IIS/FastCGI wants to access the session directory (mine is C:\PHP\Session) via whatever user attempts to authenticate instead of the anon user.
Setting "Modify" permissions on that folder to "All Users" allows the site to work as desired. However, I'm then wondering how big of a security hole I'm creating by doing this...